In many cases, when something goes wrong during authentication, the user is often left stranded with a generic error message on the gateway. We can do better.
1) Better error messages for users in specific cases. Not part of this story, but search for label "error-messaging" to find some.
2) Redirect the user back to the service provider.
The user wants to log in to a service provider, which means that ending up at an error page at our gateway is not what he/she is looking for. SAML provides a standard way of redirecting the user back to the SP using a SAML Response with an error Status Code. The Stepup gateway already uses this mechanism in specific situations. There are two issues when using this mechanism in practice:
- In many cases the SP does not handle this case well
- It prevents us from showing additional helpful information
As a solution I propose to continue to show an error screen where we do so now, but add a "go back to (name of service provider)" button to this screen that redirects the user back using the SAML error mechanism. It is open for discussion whether we want to insert this screen in situations where we currently do not. My thinking now is that:
- When we receive a SAML error from the remote IdP (i.e. OpenConext engine) upstream, we pass this on without inserting an error screen, the rationale being that upstream likely took care of this already
- When the error originates in the gateway (and we know the SP involved in the request), we show the error page with the "back" button.
This issue is imported from pivotal - Originally created at May 23, 2017 by Pieter van der Meulen
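The SAML error mechanism the issue refers to is a Response that carries no assertion, only a Status with a top-level `Responder` code, a second-level code describing the failure, and a StatusMessage, echoing the SP's request ID in `InResponseTo`. The following is an added example, not code from the Stepup gateway: it builds such a Response and shows how an SP-side check reads the status back. It assumes placeholder entity IDs and leaves out XML signing, which a real gateway applies before returning the Response.

```python
import base64
import uuid
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_error_response(issuer, destination, in_response_to, sub_status, message):
    """Build an (unsigned) SAML 2.0 Response that carries only an error Status.

    No Assertion is included: the SP must treat this as a failed login.
    """
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": destination,
        "InResponseTo": in_response_to,  # ties the error to the SP's AuthnRequest
    })
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    top = ET.SubElement(status, f"{{{SAMLP}}}StatusCode", Value=STATUS_RESPONDER)
    ET.SubElement(top, f"{{{SAMLP}}}StatusCode", Value=sub_status)  # second-level code
    ET.SubElement(status, f"{{{SAMLP}}}StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def encode_for_post(response_xml):
    """Value of the SAMLResponse form field in the HTTP-POST binding."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def check_response_status(response_xml, expected_request_id):
    """SP-side check: return (is_success, top_code, sub_code, message).

    Raises ValueError when the Response does not answer our own request.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response" or root.get("InResponseTo") != expected_request_id:
        raise ValueError("Response does not match the outstanding AuthnRequest")
    status = root.find(f"{{{SAMLP}}}Status")
    top = status.find(f"{{{SAMLP}}}StatusCode")
    sub = top.find(f"{{{SAMLP}}}StatusCode")
    msg = status.find(f"{{{SAMLP}}}StatusMessage")
    top_code = top.get("Value")
    return (top_code == STATUS_SUCCESS, top_code,
            sub.get("Value") if sub is not None else None,
            msg.text if msg is not None else None)
```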